In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()
KASAN reports the following issue:
BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798
CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- ---
Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020
Call Trace:
dump_stack+0xa5/0xe6
print_address_description.constprop.0+0x18/0x130
? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
__kasan_report.cold+0x7f/0x114
? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
kasan_report+0x38/0x50
kasan_check_range+0xf5/0x1d0
kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]
? kvm_arch_exit+0x110/0x110 [kvm]
? sched_clock+0x5/0x10
ioapic_write_indirect+0x59f/0x9e0 [kvm]
? static_obj+0xc0/0xc0
? __lock_acquired+0x1d2/0x8c0
? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]
The problem appears to be that 'vcpu_bitmap' is allocated as a single long
on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear
the lower 16 bits of it with bitmap_zero() for no particular reason (my
guess would be that 'bitmap' and 'vcpu_bitmap' variables in
kvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed
16-bit long, the later should accommodate all possible vCPUs).
References
Configurations
Configuration 1 (hide)
|
History
30 Dec 2024, 20:01
Type | Values Removed | Values Added |
---|---|---|
References | () https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69 - Patch | |
References | () https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792 - Patch | |
References | () https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.1 |
CPE | cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* |
|
CWE | CWE-125 | |
First Time |
Linux
Linux linux Kernel |
21 Nov 2024, 06:36
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References | () https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69 - | |
References | () https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792 - | |
References | () https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b - |
21 May 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-05-21 15:15
Updated : 2024-12-30 20:01
NVD link : CVE-2021-47390
Mitre link : CVE-2021-47390
CVE.ORG link : CVE-2021-47390
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-125
Out-of-bounds Read